[rocqua]

To do this formally, you need to consider information entropy. This is all about how you generated your password. 10 characters of totally random mixed case, numbers and punctuation gives about 60 bits of entropy which is strong enough.

HOWEVER, that calculation only works if all 10 characters were generated uniformly and randomly. Humans are terrible at this. Now, maybe your trick for turning words into safe passwords is great, but there is no way to be sure. Sadly, remembering 10 random characters is hard.

Luckily, easy to remember and strong passwords are possible. The system I would recommend is diceware: www.diceware.com

[column]

That diceware system is complete Snowden-level paranoia. Close the curtains! Burn after reading! For everyday techie joe a passphrase + a memorized complex password is just enough. If you're on the internet asking for a strong password method and reading diceware.com you may have your priorities set wrong like an untrained spy.

https://duckduckgo.com/?q=pwgen+strong+10&ia=answer

[samstave]

I would love to see a comparison between where physically and which modifiers are used for each character are, and the strength of a password.

Is a password which is very easy/comfortable to type out physically any more/less strong than another of the same length?

I ask this because I often use a visual pattern on the keyboard for a password and I don't recall which characters they may be, but I recall the pattern in need to type out on a qwerty kb

[Laforet]

Depends on how good the pattern is, however entropy is lower all likelihood because the layout of qwerty keyboard is standardised.

Most password crackong dictionary already include common keyboard patterns sich as "qwerfdsazxcv" or variations of it.

[joshjje]

There was a nice comic/picture of this. I tend to follow it. Basically using 3-4 short words as a phrase instead of random characters. You can toss special characters inbetween/before/after. They are also much easier to remember. Password "FoolMeOnce!ShameOnMe" for example.

[Dylan16807]

But you've gone and picked only one preexisting phrase, instead of independently-random words. That cripples the security of your password.

Making a phrase is okay, but you have to start with actually-random words.

[joshjje]

Well, it was an example, but I agree. For everything that I can I use keepass with better autogenerated random passwords, but for things like home WiFi and others that I may have to type in manually I'll use a phrase like this. A more random phrase is certainly more secure.

[freeflight]

For completeness sake, this is probably the comic you are referencing: https://xkcd.com/936/

[shpx]

    curl -s https://raw.githubusercontent.com/first20hours/google-10000-english/master/google-10000-english-no-swears.txt | shuf | head -n 4 | tr '\n' ' '; echo
    mine wear vacation mostly

log2(10^16) = 53 bits of entropy or 300 years if your attacker can do a million guesses per second (the link says 1000 keys per second, but that's on the CPU).

You could also use `cat /usr/share/dict/words` instead of the `curl`, which is a much larger word list, but you get impractical passwords like "globular cellulose's malnutrition's dangling".

[icebraining]

Careful, shuf is not cryptographically safe by default! You need to pass --random-source=/dev/urandom to get a proper RNG.

https://www.gnu.org/software/coreutils/manual/html_node/Rand...

[shpx]

Why does shuf implement its own random number generator? Why isn't /dev/urandom the default?

https://sockpuppet.org/blog/2014/02/25/safely-generate-rando...

[icebraining]

shuf is not a crypto tool, and the GNU coreutils are written to be cross-platform, even where /dev/urandom doesn't exist, or is unreliable. That's my guess, at least.

[joshjje]

Nice, yes that was the one, thanks.